DETAILED ACTION

1. This is in response to the amendment on 1 September 2005. 

2. Claims 1-26 are pending in the application. 

3. Claims 1-26 stand being rejected. 

Continued Examination Under 37 CFR 1.114

4. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 
CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been 
timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 
1.114. Applicant's submission filed on 1 September 2005 has been entered. 

Response to Arguments 

5. Applicant's arguments with respect to claims 1-26 have been considered but are moot in view 
of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language.

6. Claims 10-12 and 24-26 are rejected under 35 U.S.C. 102(e) as being anticipated by
Glass U.S. Patent No. 6,553,494 B1.

As to claim 10, Glass discloses a method of providing a certificate from a client to a third 
party server, the method comprising: 

receiving a request for a certificate from the third party server [column 4, 
lines 28-38]; 

forwarding the request to a biometric certification server (BCS) [column 
6, lines 7-60]; 

receiving a biometric identification from the client and forwarding the 
biometric identification to the BCS [column 6, lines 7-60]; 

if the biometric identification matches a registered user on the BCS, 
receiving a certificate including a public key of the client certified by the BCS 
[column 6, lines 7-60]; and 

forwarding the certificate to the third party server, thereby identifying the
client to the third party server [column 6, lines 7-60].

As to claim 11, Glass discloses detecting an access to a certification database by the
server, as discussed above. Glass discloses inserting a temporary certification from the BCS into 
the certification database, as discussed above. Glass discloses generating a true certificate if the 
server chooses the temporary certification, as discussed above. 

As to claim 12, Glass discloses that the BCS generates a disposable public/private key 
pair in response to the request. Glass discloses that the BCS certifies the disposable public key 
of the user [column 7, lines 12-34].

As to claim 24, Glass discloses an apparatus, comprising:

crypto-server having a crypto-proxy interface for receiving a request for a 
cryptographic function from a client on a secure connection [column 6, lines 7- 
60]; 

an authentication engine to authenticate a user based on biometric data 
[column 6, lines 7-60]; 

a cryptographic engine to use the user's private key, as a virtual smart 
card, to perform a requested cryptographic function [column 6, lines 7-60]; and 

the crypto-proxy interface for returning data to the client, after the 
cryptographic functions are performed [column 6, lines 7-60].

As to claim 25, Glass discloses the cryptographic service is authenticating the user to
another server [column 9, lines 17-52]. 

As to claim 26, Glass discloses that the cryptographic service is signing or encrypting 
data [column 6, lines 7-60]. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

7. Claims 1-4, 6-9, 22 and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Glass U.S. Patent No. 6,553,494 B1 in view of Ganesan U.S. Patent No. 5,535,276.

As to claim 1, Glass discloses a client requesting a cryptographic service [column 6, lines 
7-60]. Glass discloses establishing a secure connection between the client and a biometric 
certification server (BCS) [column 6, lines 7-60]. Glass discloses receiving biometric data from 
a user [column 6, lines 7-60]. Glass discloses that the BCS performs the cryptographic service if 
the user is authenticated based on the biometric data [column 9, lines 17-52]. 

Glass does not teach generating a disposable public key/private key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8, lines 19-28].

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Glass so that the public/private key pair would 
have been replaced by a disposable public key/private key pair. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Glass by the teaching of Ganesan, as described above, 
because it ensures that the key is not intercepted by a third party, by disposing of the key after its 
use [column 8, lines 19-28]. 

As to claim 2, Glass teaches that the cryptographic service is authenticating the user to 
another server [column 9, lines 17-52]. 

As to claim 3, Glass teaches certifying the public key. Glass teaches forwarding the 
certificate to the other server [column 9, lines 17-52].

As to claim 4, Glass teaches that the client receives data from the other server for signing
with the user's private key. Glass teaches forwarding the data to the BCS. Glass teaches that the
BCS signs the data with the user's temporary private key [column 6, lines 7-60].

As to claim 6, Glass teaches detecting an access to a certification database of the client by 
another server [column 6, lines 7-60]. Glass teaches inserting a temporary certification from the 
BCS into the certification database of the client. Glass teaches generating a true certificate if the 
other server chooses the temporary certification [column 6, lines 7-60]. 

As to claim 7, Glass teaches that the cryptographic service is signing or encrypting data 
[column 7, lines 36-67]. 

As to claim 8, Glass teaches retrieving a private key/public key pair for the user.
Glass teaches performing the cryptographic service with the private or the public key [column 7, 
lines 36-67]. 

As to claim 9, Glass teaches detecting an access to a certificate database of the client, as 
discussed above. Glass teaches detecting the user attempting to perform a cryptographic activity 
[column 7, lines 36-67]. 

As to claim 22, Glass discloses a crypto-API (application program interface) for 
receiving cryptographic function requests [column 6, lines 7-60]. Glass discloses a 
cryptographic service provider for establishing a secure connection to a remote crypto-server 
[column 6, lines 7-60]. Glass discloses having the crypto-server perform the cryptographic 
function [column 6, lines 7-60]. Glass discloses a sensor for receiving biometric data from a user 
[column 4, lines 51-56]. Glass discloses that the biometric data is sent to the crypto-server to 
authenticate the user and that the remote crypto-server is to perform the requested cryptographic 
function when the user is successfully authenticated using the biometric data [column 6, lines 7-60].

Glass does not teach generating a disposable public key/private key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8, lines 19-28].

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Glass so that the public/private key pair would 
have been replaced by a disposable public key/private key pair. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Glass by the teaching of Ganesan, as described above, 
because it ensures that the key is not intercepted by a third party, by disposing of the key after its 
use [column 8, lines 19-28]. 

As to claim 23, Glass discloses a crypto-API (application program interface) for 
receiving cryptographic function requests [column 6, lines 7-60]. Glass discloses a
cryptographic service provider for establishing a secure connection to a remote crypto-server. 
Glass discloses having the crypto-server perform the cryptographic function [column 6, lines 7- 
60]. Glass discloses a sensor for receiving biometric data from a user. Glass discloses that the
biometric data is sent to the crypto-server to authenticate the user [column 6, lines 7-60]. Glass
discloses that the remote crypto-server comprises: a crypto-proxy interface for receiving a 
request for the cryptographic function from the client on the secure connection; an authentication 
engine for authenticating the user based on the biometric data; a cryptographic engine for 
performing the cryptographic functions; and the crypto-proxy interface for returning data to the
client, after the cryptographic functions are performed [column 6, lines 7-60]. 

Glass does not teach generating a disposable public key/private key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8, lines 19-28].

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Glass so that the public/private key pair would 
have been replaced by a disposable public key/private key pair. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Glass by the teaching of Ganesan, as described above, 
because it ensures that the key is not intercepted by a third party, by disposing of the key after its 
use [column 8, lines 19-28]. 

8. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Glass U.S. Patent
No. 6,553,494 B1 and Ganesan U.S. Patent No. 5,535,276 as applied to claim 1 above, and
further in view of Brickell et al U.S. Patent No. 6,553,494 B1.

As to claim 5, the Glass-Ganesan combination does not teach that the client generates a 
session key for use with the other server. The Glass-Ganesan combination does not teach 
encrypting the session key with a public key of the other server. The Glass-Ganesan 
combination does not teach that the client closes the secure connection between the client and the 
BCS once the session is established between the client and the other server. 

Brickell et al teaches that the client generates a session key for use with the other server. 
Brickell et al teaches encrypting the session key with a public key of the other server [column 8, 
lines 31-47]. Brickell et al teaches that the client closes the secure connection between the client
and the BCS once the session is established between the client and the other server [column 8,
lines 31-47].

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified the Glass-Ganesan combination so that the client 
generated a session key for use with the other server. The session key would have been 
encrypted with the public key of the other server. The client would have closed the secure 
connection between the client and the BCS once the session was established between the client 
and the other server.

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified the Glass-Ganesan combination by the teaching of 
Brickell et al because the examiner asserts that this prevents a third party from intercepting the 
session key. 

9. Claims 13-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over Glass U.S.
Patent No. 6,553,494 B1 in view of Jakobsson U.S. Patent No. 6,587,946 B1.

As to claim 13, Glass discloses an authentication engine for authenticating the user based 
on biometric data [column 8, lines 5-50]. Glass discloses a cryptographic engine for performing 
the cryptographic functions [column 8, lines 5-50]. 

Glass does not teach a crypto-server having a crypto-proxy interface for receiving a 
request for a cryptographic function from a client on a secure connection. Glass does not teach 
that the crypto-proxy interface returns data to the client, after the cryptographic functions are 
performed.

Jakobsson teaches a crypto-server having a crypto-proxy interface for receiving a request
for a cryptographic function from a client on a secure connection [column 5, lines 48-64]. 
Jakobsson teaches that the crypto-proxy interface returns data to the client, after the 
cryptographic functions are performed [column 6, lines 3-39]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Glass so that there would have been a crypto- 
server that would have had a crypto-proxy interface for receiving a request for a cryptographic 
function from a client on a secure connection. The crypto-proxy interface would have returned 
the data to the client, after the cryptographic functions were performed.

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Glass by the teaching of Jakobsson because it is efficient, 
allows tight control over actions (by the use of quorum cryptography), does not require any pre- 
computation phase to set up shared keys, and has a trust model appropriate for a variety of 
settings [column 3, lines 50-58]. 

As to claim 14, Glass teaches that a database includes user credentials [column 6, lines 7- 
60]. Glass teaches that the authentication engine retrieves a user biometric template from the
database and compares the biometric template to the biometric data received from the user
[column 6, lines 7-60]. 

As to claim 15, Glass teaches a dynamic key generation engine for generating a 
temporary public key/private key pair, the key pair used for establishing a session between the 
client and another server, as discussed above.

As to claim 16, Glass teaches the cryptographic engine generating a certificate including
the temporary public key, certified by the cryptoserver's private key [column 6, lines 7-60]. 

As to claim 17, Glass teaches that the dynamic key generation engine destroys the
temporary key pair after the session between the client and the other server is successfully 
established [column 6, lines 7-60]. 

As to claim 18, Glass suggests a user self registration interface permitting a user to 
choose a handle and register a biometric template [column 5, lines 36-56]. 

As to claim 19, Glass teaches a registration engine for receiving biometric data from the 
user during a registration process. Glass teaches extracting the biometric template for the user. 
Glass teaches a user credential database for storing the handle and the biometric template of the 
user [column 5, lines 36-56]. 

As to claim 20, Glass teaches that the registration engine generates a persistent private 
key/public key pair. Glass teaches a database for storing the persistent private key/public key 
pair [column 7, lines 13-34]. 

As to claim 21, Glass teaches a database for storing a persistent private key/public key 
pair. Glass teaches that the cryptographic engine uses the persistent private key or public key 
when appropriate to perform the cryptographic functions, as discussed above.

Conclusion

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 